topic Re: How can I break events within events . in Splunk Search

How can I break events within events?

Sujithkumarkb — Mon, 25 Apr 2022 14:35:51 GMT

I have middleware .out file to be monitored with Splunk.
The events are breaking with respect to the time stamps as below

1/16/20
12:27:17.553 PM
Jan 16, 2020 1:57:17,553 AM EST Warning Socket BEA-000449bClosing the socket, as no data read from it on ,322 during the configured idle timeout of 5 seconds.

1/16/20
12:24:17.274 PM
Jan 16, 2020 1:54:17,274 AM EST Error oracle.soa.management.internal.ejb.impl.FacadeFinderBeanImp BEA-000000 No Facade Fault Recovery Service found for Engine type : service

But i have an event in this log file which is breaking based on time stamp but single event isgoing beyond 800 1000lines . sample event below

Jan 16, 2020 1:54:05,062 AM EST Error oracle.soa.bpel.engine.dispatch BEA-00000 Transaction rolledback, Transaction key = Name=[EJB
** Cikey: 100174
** ComponentDN: default/CommsProcessFulfillmentOrderBillingAccountListEBF!1.0*soa_50970aa3-f91e-430a-83db-70b3c1beafd9/CommsProcessFulfillmentOrderBillingAccountListEBF
** FlowId: 100048

** Set of Audit Events in currently rolledback transaction:

** Scope Id: 0
** Audit Event Date: Thu, 16 Jan 2020 01:54:04.300 EST
** Audit Message: New instance of BPEL process "1.0" initiated (# "CommsProcessFulfillmentOrderBillingAccountListEBF").

** Audit Detail: null

** Scope Id: BpSeq13.3
** Audit Event Date: Thu, 16 Jan 2020 01:54:04.301 EST
** Audit Message: Received "initiate" call from partner "client"
** Audit Detail:
CommsProcessFulfillmentOrderBillingAccountListReqMsg part name="ProcessFulfillmentOrderBillingAccountListEBM" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"bProcessFulfillmentOrderBillingAccountListEBM
** Audit Event Attributes:
** wikey: 100174-BpRcv0-BpSeq13.3-1
** label: receiveInput

** state: 5

** Scope Id: BpSeq13.3
** Audit Event Date: Thu, 16 Jan 2020 01:54:04.302 EST
** Audit Message: bpelx:exec executed
** Audit Detail: null
** Audit Event Attributes:
** wikey: 100174-BxExe0-BpSeq13.3-2
** label: Set_Title
** state: 5

This event is more than 1000lines with lot of scope ID paragraph and I get a Show all 800lines message , and when I expand the Splunk goes into hung state.
Though i can use Truncate and max_events value in props , how can i handle or break one big event with more than 800 lines based on the ScopeID and also keep other events breaking based on timestamp as well .

Re: How can I break events within events .

vsai0718 — Mon, 27 Jan 2020 21:23:00 GMT

Try creating a field extraction on the UI with regex.

Re: How can I break events within events .

jkat54 — Wed, 30 Sep 2020 03:49:30 GMT

In props.conf

[your_sourcetype]
LINE_BREAKER = ^()\w{3}\s\d\d|Scope Id

Re: How can I break events within events .

lernauti — Mon, 25 Apr 2022 12:28:58 GMT

Re: How can I break events within events .

lernauti — Tue, 26 Apr 2022 11:06:46 GMT

Wow, thanks for this thread. I didn't even think about splitting events within events. I'm still trying to figure out the Splunk search language, and I don't always get what I want the first time. I hope I won't bother anyone with my comment if I use it to "bookmark" the topic 🙂 I prefer to appear in all thematic forums and ask thousands of stupid questions to everyone. This is how I prevent possible errors, and it's better than carrying the hard drive to the file recovery procedure later due to a series of wrong actions.